Security Overview

ABBYY FineReader Server 14 uses Windows authentication. Both local and Active Directory accounts can be used.

To access external resources (e.g. shared folders, SharePoint libraries, e-mail servers, etc.), the authentication mechanisms of the respective external systems should be used.

Interactions between program components

Data between the various ABBYY FineReader Server components is transferred using Windows Remote Procedure Calls. RPCs over Named Pipes and over TCP/IP are both supported (TCP/IP is used by default).

If TCP/IP is used, ports 3990–3993 must be open in Windows Firewall. You can always change these ports if required (see Connection Settings for detailed instructions).

Windows security mechanisms are used to ensure the integrity and security of data transferred between the program components. All traffic between the server and the clients is encrypted.

API

COM-based API

The COM-based API gets the server settings and job states over the Windows RPC protocol. To transfer files and download results, ABBYY FineReader Server's working folders are used.

Web Services API

The server with the COM-based API gets data over HTTP/HTTPS. No authentication is available at the Web Services API level, but you can configure Windows authentication at the IIS level.  

Data storage

Database

ABBYY FineReader Server 14 uses an SQL database to store service data and statistics. For Document Library and Audit workflows, the database stores information about process files, including their full names, metadata, and hash values.

Additionally, an SQLite database is used to store records about finished jobs.

The ABBYY FineReader Server 14 API uses a separate internal database to store information about jobs and their state.  

Temporary files

ABBYY FineReader Server 14 stores temporary document files in the working folders on the Server and Processing Stations (%ProgramData%\ABBYY FineReader Server 14.0). After a job has been processed, its temporary files are deleted.

Passwords

Passwords and tokens in ABBYY FineReader Server 14 are encrypted with 256-bit AES encryption key (high encryption level).

Interactions with external systems

To access local and network folders and to use the Microsoft Exchange Server service, the ABBYY FineReader Server service should be run under a user account that has the appropriate access permissions (see Restarting Services Under a User Account for details).

To access other external resources (e.g. POP3, IMAP, FTP/SFTP, SharePoint, etc.), user credentials must be specified in the workflow.

Access permissions to folders with files to be processed are set in the operating system or in the respective external resource (e.g. an FTP server, a mail service, or a network storage system). Access permissions for the user account used to launch ABBYY FineReader Server 14 should be set up in the OS.

Required permissions

File system

The ABBYY FineReader Server 14 components require standard user account permissions.

Additionally, full access to the %ProgramData%\ABBYY FineReader Server 14.0 folder and all its subfolders is required. 

Additional access permissions may be required for the account used to run the Server Manager when working with network shares. This user account should have the permissions to perform any actions required by the workflow. 

Windows Registry

The ABBYY FineReader Server 14 components require standard user account permissions.

The Remote Administration Console and operator stations require full access to the Computer\HKEY_CURRENT_USER\Software\ABBYY\FineReaderServer registry key and all its subkeys.

Additional permissions

To install digital signature certificates on Processing Stations from the Remote Administration Console, the user should have access to the ABBYY FineReader Server 14 certificate located in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\ABBYY\FineReaderServer, both on the Remote Administration Console and on the Processing Station computers.

To authenticate with Active Directory, the user account running the Server Manager must have read permissions to get the Active Directory group membership.

Roles and access permissions

An ABBYY FineReader Server user can have any of the following roles:

  • Administrator
  • Verifier
  • Indexer
  • Scanning Operator

Users and groups added to ABBYY FineReader Server 14 must be in the domain or on the machine where the Server Manager is installed.

  • A Windows group can act as an ABBYY FineReader Server 14 user. In this case, all members of that group will have the role.
  • Users who are not administrators will be not able to configure the program and workflows, nor manage Processing Stations or other users.
  • Administrators can restrict operators' access to certain workflows but operators will have full access to all the features available on their stations (e.g. they will be able to modify, approve, or reject documents).

For more information, see Users Node.

20.09.2022 9:27:51

Please leave your feedback about this article

Usage of Cookies. In order to optimize the website functionality and improve your online experience ABBYY uses cookies. You agree to the usage of cookies when you continue using this site. Further details can be found in our Privacy Notice.